Analysis
-
max time kernel
12s -
max time network
14s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
02-01-2025 16:20
General
-
Target
https://drive.google.com/file/d/1VDklMQMlyabJbqwV9SMyM2HFZY4RjTBQ/view?usp=drive_link
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1VDklMQMlyabJbqwV9SMyM2HFZY4RjTBQ/view?usp=drive_link"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1VDklMQMlyabJbqwV9SMyM2HFZY4RjTBQ/view?usp=drive_link2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81eafd3e-2596-4a22-abea-7318c84561e9} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2436 -prefsLen 24759 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed1b1ce-6912-4797-b78a-fb6d50e7c6fa} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3056 -prefsLen 22700 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ac5aab-2dd9-47c6-87a1-75548d055ebb} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 29249 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec7f7d19-4955-4c41-892e-cd365b7832f5} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4712 -prefsLen 29249 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1897ce8-7611-4ed9-95c1-7d5f4c4e6471} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b3733c-9195-411d-89b2-27333fd5297f} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6e728c-1147-49f4-88cb-eb2b56c64dc5} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5856 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {392e3dd4-a656-4d2e-bfc4-b18a78576f38} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 6 -isForBrowser -prefsHandle 6164 -prefMapHandle 5500 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd6b2477-096e-4943-9312-43a8af24f78d} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3888,i,690293423614796501,17475910179943560176,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD551cbcb48aef421dfceeea8be9aa9409a
SHA14b684f442581d1196b24ea1b02374bfc4fda9df4
SHA256bf814782f9e66167f3dfa7216d928248e33186d5bacc1bb59166d80833829fb0
SHA5128c582a695df5b297da9c6efd835a42ccb96070a0cab64e1a32583f23dbe30efc18cad2bafc6241b069600c4676189f2d07511e19e5b7a1d0ed8e31ced7269092
-
Filesize
7KB
MD5d99041981abaf96279d04762d128c20e
SHA1ee91dd3b9e3bb3dd4a63869147b75bf1908fdabe
SHA256851f2f8cd22435b63b75d77605424bb0c1f8bcbed8d058f4bdca907113ddc225
SHA512e47d5f9e2fb91862f04735419bc475d37425c9df7927e380848e21d8e8c5a1d6098143e81bab3a516b0c309e9a4b6e18e9c9d2405c2c46d66ecd7f9e68178134
-
Filesize
5KB
MD550e6f17798c4efb831efd1e806e1ce09
SHA1cbcb883a5dfd535ede6f0775ad1004992e14e439
SHA256b7f2e40798538541e1e69d8d0fe303cf713fecb3ef083ced257210695f880640
SHA5122d735a8d6d66f4a142f35febf1d9a01bc30d80b17ceb357dad6a507991091e48b098b429229ca60b5c25fdb56c422a63f926960c095d995711d9e5bd671bd3fe
-
Filesize
671B
MD53506513c54b073987cb4058d8ae44ea0
SHA19cd976566018df678d6b2c51eafddd00bc6d8145
SHA256ef9116ae660e6e2eea6c5022f7ee32510aa7c59685bc61998550647b30b3fbcd
SHA512633466ebc12955f1091baadcb6b0d7d3b114dd2e919662547e57ad0651a7c12900712af64bf882a549ef8dad306f1d74a9ae772f697bf92829a3f6b80ff3f413
-
Filesize
27KB
MD5c40aabe94e54e3428fc0b5a16537ccec
SHA117e2d3d212bd0ccac4c113df4433babc413960ad
SHA256cb1baaaadfc1d96fd7f9b3aaa636cbf013248db75dbfac84ff1f107becce0dae
SHA512e437ae9430db54548c7e0b5b3f661689967e06209191d747ddccb30665c3e4b6d563fa425a4e4538db61a1ca280fe1f236359b8f188bfada19692c4444383638
-
Filesize
982B
MD5d5f8c7530710d0935d13d061852eb829
SHA18cbbda8229510b58e1418c8b1d492b7fa333998f
SHA2560c6fe605d9feb57189eefab8cd444528003d904834193dd22813d9f2861904f3
SHA5124fd2c71b05153b2125032eb97b8136d7709f65942934a1c1c9ef2b61cd0e5c7877b33ee5049a5ada1b826cc13fead9e30eb6aa03533840e7c50fa0cef30ff05c
-
Filesize
10KB
MD5883d214a764bfa2f3c93793471ae8a11
SHA1f0f54649b2c424e124d3fa02a214b792788f9cbc
SHA256d53bd120995674264a599243b590049ad8b5746760d359385332d79980dd1c6e
SHA512fc042934c9109665c21a9e472781c4ed7e1d86eee854b20878227e43680128dcee6a7285a5e2d3008e5a2683227194a8f94438b6eee62a338046a629b3e36b51